The present invention relates to a packet relay apparatus, and more particularly to a packet relay apparatus for reducing the load on a processing unit.
In MAC address authentication in a network authentication system, an authentication server determines whether to permit or prohibit communication of a packet transmitted from a terminal, based on the source MAC address of the packet as information for authentication.
In a network authentication system, a packet relay apparatus discards a packet to be communicated to a core network from an unauthenticated terminal or from a terminal whose communication is prohibited by an authentication server. The packet relay apparatus relays communication of a packet from a terminal whose communication is permitted by the authentication server.
When MAC authentication is performed in the packet relay apparatus, all packets transmitted from a terminal will be target packets for authentication. For this reason, all packets transmitted from an unauthenticated terminal are transferred to a CPU of the packet relay apparatus, until communication permission is granted as the determination result of the authentication server and the communication permission is then set in the packet relay apparatus.
The packet relay apparatus typically performs authentication processing, even when receiving a packet from a terminal that is not intended to be authenticated. Further, the packet relay apparatus may use other authentication methods, such as IEEE 802.1X authentication and Web authentication, depending on the OS or application running on a single terminal. However, even in the case of using such authentication methods, the packet relay apparatus first tries authentication using MAC address authentication for all received packets.
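The processing load described above can be illustrated with a small model of the relay decision. This is an added example and not part of the disclosure; the MAC addresses, the server policy, the latency of three packets, and the assumption that no entry is set in the relay for a prohibited or unknown terminal are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample policy held by the authentication server (assumption).
SERVER_POLICY = {
    "00:00:5e:00:53:01": True,   # communication permitted
    "00:00:5e:00:53:02": False,  # communication prohibited
}
UNKNOWN_MAC = "00:00:5e:00:53:03"  # terminal not intended to be authenticated
# Assumed: packets a terminal sends before the server's result is set in the relay.
AUTH_LATENCY = 3


@dataclass
class PacketRelay:
    permitted: set = field(default_factory=set)  # permit entries set in the relay
    pending: dict = field(default_factory=dict)  # MAC -> packets left until result
    cpu_transfers: int = 0
    relayed: int = 0
    discarded: int = 0

    def receive(self, src_mac: str) -> str:
        if src_mac in self.permitted:
            self.relayed += 1
            return "relay"
        # No permit entry: the packet goes to the CPU for MAC address
        # authentication and is not relayed to the core network.
        self.cpu_transfers += 1
        self.discarded += 1
        remaining = self.pending.get(src_mac, AUTH_LATENCY) - 1
        if remaining > 0:
            self.pending[src_mac] = remaining
            return "cpu"
        # The server's determination arrives; only a permit is set in the relay.
        self.pending.pop(src_mac, None)
        if SERVER_POLICY.get(src_mac, False):
            self.permitted.add(src_mac)
        return "cpu"


def simulate(trace):
    relay = PacketRelay()
    for src_mac in trace:
        relay.receive(src_mac)
    return relay


# Constructed trace: ten packets from each of the three terminals, interleaved.
TRACE = [m for _ in range(10) for m in (*SERVER_POLICY, UNKNOWN_MAC)]
```

With this trace, only the permitted terminal ever stops reaching the CPU; every packet from the prohibited terminal and from the terminal that was never meant to be authenticated is still transferred to the CPU.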
JP-A-2007-267315 discloses a switching apparatus with a multi-authentication function including proxy authentication means. The proxy authentication means proxy-authenticates a communication party, using authentication history information of authentication history storage means. Further, the proxy authentication means proxy-authenticates using a function relating to acquisition of information about digital signature certification, within proxy authentication expansion means.